DPRK-NEXUS ADVERSARY TARGETS SOUTH-KOREAN INDIVIDUALS IN A NEW CHAPTER OF KITTY PHISHING OPERATION

APT + Intelligence | Cluster25 | April 11, 2022

The research team at Cluster25 traced recent activity, started in the first days of April 2022, by a DPRK-nexus threat actor using spear-phishing emails carrying Korean-language malicious documents with different lures (like the example below) to compromise its victims.

The lures used in the malicious Word documents of this campaign differ considerably from each other. They range from impersonation of the Korea Internet Information Center (KRNIC) to impersonation of various South Korean Internet security firms (e.g., AhnLab, Menlo Security, SaniTOX) or cryptocurrency firms (e.g., Binance).

The targeting of this campaign seems generic and aimed at stealing data from South Korean individuals. In most of the identified infections, indeed, the victims were users with a mailbox registered on naver dot com, a South Korean web platform that offers free email, news, and search engine functionality. Cluster25 attributed this campaign to a DPRK-nexus adversary because similarities have been identified with Operation Kitty Phishing [1].

EVENT INSIGHTS

The Word document attached to the phishing email exploits a template injection vulnerability (CVE-2017-0199) that allows the threat actors to download a new weaponized document from a remote source. Once the document is opened, a remote URL is contacted (e.g., hxxp://naveicoipd[.]tech/ACMS/0lvNAK1t/accountsTemplate) to download the malicious remote template.

The downloaded template embeds a VBA (Visual Basic for Applications) script that is executed automatically thanks to the vulnerability already mentioned. This VBA code acts as a downloader for the next stage of the kill chain using two embedded remote URLs (32-bit and 64-bit versions of the next-stage payload). All the embedded strings in the VBA project are obfuscated through base64 encoding combined with byte-wise XOR encryption using a hardcoded XOR key.

Once the next-stage payload is downloaded, various APIs are resolved at runtime through LoadLibraryA and GetProcAddress (e.g., RtlMoveMemory, CryptBinaryToString, DispCallFunc), and the payload is decoded through the same process used for the embedded strings. Finally, the decoded payload is dropped under %LOCALAPPDATA%\Microsoft\TokenBroker\RuntimeBroker.exe and executed through the DispCallFunc API (the low-level implementation of the Invoke method).
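The string and payload obfuscation described above (base64 plus a repeating XOR key) is simple enough that an analyst can recover the cleartext, and even the key itself, without running the macro. The following helper is an added example written for this page; it is not Cluster25's tooling and not code from the samples. It assumes the order "XOR first, then base64" (so decoding is base64-decode followed by XOR), a two-byte hypothetical key, and a known-plaintext crib (every decoded string is a URL, so the first bytes are "http"); the VBA snippet and the blobs inside it are constructed here to exercise the code.

```python
import base64
import re

# Hypothetical key. The real key is sample-specific and is not published in the report.
XOR_KEY = b"\x5a\x3c"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (symmetric: used for both directions)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: bytes, key: bytes = XOR_KEY) -> str:
    """Inverse of decode(); used only to build the constructed test data below."""
    return base64.b64encode(xor_repeat(plain, key)).decode("ascii")


def decode(blob: str, key: bytes = XOR_KEY) -> bytes:
    """base64-decode an obfuscated literal, then strip the XOR layer."""
    raw = base64.b64decode(blob, validate=True)
    return xor_repeat(raw, key)


def recover_key(blob: str, crib: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from a known-plaintext prefix.

    Because XOR is its own inverse, ciphertext[i] ^ plaintext[i] == key[i % key_len],
    so a crib at least key_len bytes long yields the whole key.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    return bytes(raw[i] ^ crib[i] for i in range(key_len))


# Quoted VBA string literals that look like base64 (long enough to be worth trying).
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def decode_vba_strings(vba_source: str, key: bytes = XOR_KEY) -> list:
    """Find base64-looking literals in VBA source and decode every one that parses."""
    found = []
    for blob in B64_LITERAL_RE.findall(vba_source):
        try:
            found.append(decode(blob, key))
        except ValueError:  # binascii.Error is a ValueError: not valid base64, skip it
            continue
    return found


# Constructed VBA fragment (not from the real template): two download URLs, obfuscated.
URL32 = b"http://example.invalid/stage2_x86.bin"
URL64 = b"http://example.invalid/stage2_x64.bin"
SAMPLE_VBA = f'''
Dim u32 As String
u32 = "{obfuscate(URL32)}"
Dim u64 As String
u64 = "{obfuscate(URL64)}"
MsgBox "Loading..."
'''

if __name__ == "__main__":
    blob = obfuscate(URL32)
    print("recovered key:", recover_key(blob, b"http", len(XOR_KEY)).hex())
    for s in decode_vba_strings(SAMPLE_VBA):
        print("decoded:", s.decode("ascii", "replace"))
```

If the key length is unknown, run recover_key for a few candidate lengths and keep the one whose key also turns the other literals into readable strings; the crib "http" gives four bytes of key material, enough for keys of up to four bytes.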

The executable RuntimeBroker.exe is protected with the UPX packer and acts as a dropper for the late-stage implant. Its execution starts with two evasion checks aimed at avoiding execution in sandboxed or virtualized environments. The first is a time-based sandbox evasion that uses the GetTickCount API to detect a possible sandbox sleep-skipping feature.

The second check is a hardware-based evasion that uses the CreateFileA API to open the physical drive \\.\PhysicalDrive0 directly and look for known virtual HDD vendor IDs (e.g., VBOX, VMware).

After that, the malware checks for a running antivirus process. In particular, if there is an active process named v3l4sp.exe (V3 Lite Antivirus by AhnLab Inc.), the malware deletes itself and exits immediately. Subsequently, the malware tries to access the C:\ProgramData\Intel directory, checking for write permissions.

If the required permissions on this directory are available, the malware issues an HTTP POST request to a remote URL in order to download the final payload. Once downloaded, the executable is dropped under C:\ProgramData\Intel\IntelRST.exe and a new registry key is created to ensure persistence. The final payload (IntelRST.exe) is heavily packed with a double layer of protection from the ASProtect packing tool; a broken IAT reconstruction allowed only partial unpacking of the second layer.

Despite the packing, it was possible to extract some useful information. First of all, the malware contacts a remote TXT resource hosted on Dropbox (i.e., hxxps://dl.dropboxusercontent[.]com/s/k288s9tu2o53v41/zs_url.txt?dl=0) to obtain the domain of the C&C server (i.e., naveicoipd[.]tech). Once the command and control domain is obtained, the following information about the victim system is exfiltrated through an HTTP POST request to the C&C server:

  • uid: the string Cjtpp17D_ combined with the username of the currently logged-in Windows user.
  • avtype: an integer specifying the infection status of the victim machine
    • The value 2 is specified if the v3l4sp.exe process exists on the system (V3 Lite Antivirus by the South Korean AhnLab Inc.)
    • The value 3 is specified if the AYAgent.exe process is present on the system (ALYac Enterprise by the South Korean ESTsecurity Corp.)
    • The value 1 is specified if neither antivirus is detected.
  • majorv and minorv: integers specifying the major and minor version of the infected operating system

Finally, the malware waits for a possible response from the C&C server that could lead to exfiltration and the execution of other functionalities. In this campaign all the domains are generated through a DGA (Domain Generation Algorithm) and vary from payload to payload. In most cases, the drop-point domains and the C&C domains follow the naveicoip[a-z]{1}[.](online|tech) pattern and appear to be registered on the Hostinger or Contabo platforms. In some recent cases, certain domains are also registered on the OVH platform.

RELATED CAMPAIGNS

We identified a variant of the described campaign showing minimal changes in the kill chain. This one uses a different initial access vector, a Windows Help File (CHM), and a new middle-layer dropper in place of the previous template injection. More in detail, the CHM file contains several built-in files that are dropped once the file is opened.

In particular, the most relevant files are an HTML file (called 1hh.htm) and an executable (called WINWORD.exe) representing the middle-layer dropper. Once the CHM file is opened, the HTML file is loaded into the CHM viewer to execute malicious JavaScript code that forces the creation of a shortcut under C:\ProgramData\chmtemp\ pointing to WINWORD.exe.

Once the shortcut is created, the execution of this middle-layer dropper is triggered through the Click() method on the just-created object instance. Briefly, WINWORD.exe is responsible for the decryption and execution of the real UPX-packed dropper. The middle-layer dropper performs the same checks already seen in the RuntimeBroker.exe dropper from the other campaign.

After that, the dropper checks for write permissions under %LOCALAPPDATA%\Microsoft\Feeds\ and, if granted, proceeds with the decryption of the real dropper directly in memory using a hardcoded key, as shown in the evidence below:

[Figure omitted: evidence of the in-memory decryption routine with the hardcoded key]

Then the file is written under %LOCALAPPDATA%\Microsoft\Feeds\ with the name FeedsBroker.exe and a new registry key is created to ensure persistence on the victim system. Before the UPX-packed FeedsBroker.exe is executed, its path is excluded from Microsoft Defender through the following PowerShell command:

  • PowerShell -Command Add-MpPreference -ExclusionPath "PATH_TO_FEEDSBROKER.EXE"

Starting from FeedsBroker.exe, the kill chain is identical to the one analyzed above.

CONCLUSION

Due to the particular situation in the area, similar campaigns targeting organizations and individuals in South Korea can be expected, and they are unlikely to abate in frequency or intensity in the foreseeable future. We will continue to follow these operations in the hope that such reporting can help prevent and mitigate these attacks. Customers with access to the Cluster25 intelligence portal can get more indicators and threat hunting rules about this threat actor at the following link:

https://intelligence.cluster25.io/actor/80638675-e125-4315-8d32-4e75258d7bc3

For more information about this campaign it is possible to send an email to [email protected]

INDICATORS OF COMPROMISE

CATEGORY                TYPE            VALUE
MALDOC                  SHA256          ab01143169a142b246441b778b7865532ec88fd37e19f690efd00ee5302f0683
MALDOC                  SHA256          f265a04e08a79ea6a4eeacd8294b3af2e1a08ae131018dd1ca195ae900437767
MALDOC                  SHA256          6ed3447bb9fcb5abfe78a628ebcd1a0987c75b18eac5673a3a90a4bbe745b527
MALDOC                  SHA256          96754f46e1ce19a337c3a4368e63ad1135405b383f3d3bd77beefe20926cf89d
MALDOC                  SHA256          a7c17e5fa55bcc60d4cff64dd37d0a1f0cc93f4f44b3cebd5633ca5af413e5cc
MALDOC                  SHA256          dfb4270fb6dc92fdfd9903b4b12bf67897e86a626925f76e4336af60c14683be
MALDOC                  SHA256          a7976205ce8a0e1859df40eb6479fe90cd479644862cdcc8ad99082be0f1d5a1
MALDOC                  SHA256          d2b32b233489eb120c50d7f862e2d20b89c8bb89e595086f85728e69668533e0
MALDOC                  SHA256          ae7275988753fffb29bdb254babdf46773daf935b2721006fe66a1747af3d1d4
MALDOC                  SHA256          06d29b5f1611303a792bb335ecafdd228cf0a1ffd55629f8cc1b9ce25d7fb378
MALDOC                  SHA256          de5cf0c1d3fdb683683e79c3b108159e13dcbd37e2dc1aa7407444708f06197d
MALDOC                  SHA256          4e9ba92b357dcfa79f64f2ca829d31935b5a93059022414ca894a070b625da66
MALDOC                  SHA256          76a87057cb72139ed2a2c6776949aabd15134ba887b05bf1e56d46f3e97cda87
MALDOC                  SHA256          2c491a12efee90bd6c76b40ba7b5efb5ccb3ef467a4034f8ebe71e356d36cc85
MALDOC                  SHA256          7ed9edd2dd310b0db4d327475e5d2a06be05b43bffe5a61fa202362f7b8e379f
MALDOC                  SHA256          b8408322430bbd9c685f40733314f8b11f004ce42d947d15a93ce3222293b002
MALDOC                  SHA256          3061132272975b4f7552eedd5184bc7ecd0d3fc7fcdf6fbfe81aa8ac06a10b11
MALDOC                  SHA256          b2a3d4261b0a6845d9ee4f395261946842964591804dfa474355b8e8bd1ad00f
MALDOC                  SHA256          a38628b4fe521655d88e4fe5a9cc074fa4d326a54be8aca6c489a5900d9a95ed
MALDOC                  SHA256          c4e0cb278f80e2ec8f1a2473ee7d53101db331bc9e063839ed72da887eca947b
MALDOC                  SHA256          c17234de3a14deadf84c7acc614345484d10c43a72cccb748de6357b0066c48a
MALDOC                  SHA256          4292984d29374760d2bd62ce665da645ca177e600e61133a4df1f6ca78e74611
MALDOC                  SHA256          cb74f8fb9623413ab69566a3cddbba9488dc1da402b72f7a81bde0a9e8ab168b
MALDOC                  SHA256          2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df
TEMPLATE                SHA256          7cea095f281e0a09b27c3c101e9898a5ee4bff89edc4ec4eb83bf363f9f7c472
TEMPLATE                SHA256          cbd6f89dae3b013f598664bb004eeea0a45c8bf31ae2197adab1b8907b65dc12
TEMPLATE                SHA256          6a948792761e207f7e7fe7f3687d02113695304ade00d156ae80a44e5bc5d88b
TEMPLATE                SHA256          c9f02980d38b4a79cbc9512dbee2fd591cbfd9bf9d27ae0e4c074cd55634633a
TEMPLATE                SHA256          33b6d6f52125a046d22f4198a56838ae2b5dbe400dd246f812b4f093ba9eb75a
TEMPLATE                SHA256          94fb3a34ecbde3435934f4cb44d86ff8ea37fda32b2b2ee17881c65654d91e8d
TEMPLATE                SHA256          1fdbe1fa3e070b2b663a5acca5a163d2039ac56c2556e7718c991785d5188c68
TEMPLATE                SHA256          6c83a251c4df74a432b6fc37273a214cbd67466e7e3795ff819db8bb76672007
TEMPLATE                SHA256          3235026de503a1ed2834b634a978ff655486c89787a66aac2f8917d9936c4342
TEMPLATE                SHA256          352d1850f2f6030fa4481728df2575448e88f28169b2f3702465d32b0e61476b
TEMPLATE                SHA256          1ff3d779c207ca18a55208471b7627e15221b29cd5547a1b1f686aaa903d0f3e
TEMPLATE                SHA256          af93284efb7a0599ff14ceed762bbde4e3a01d53802707d3cb74f15ec3aa1a11
TEMPLATE                SHA256          f6c3dbed6f7fcfe320529937cff9d9a1150422375f7c8e0849efaf29ce910bce
DROPPER-UPX-PACKED      SHA256          392aba0070375051d7bc3cc478c4bb66c5f55be87ad797800f50a338c3e2479b
DROPPER-UPX-PACKED      SHA256          fd5b27049dd38bd1c3951f017a0d27a0a02f8efec7f6fa3a0ed1dc442ea5571b
DROPPER-UPX-PACKED      SHA256          bc7d3ac47b50254420513b9eb1563cdfb0a5f61252bf89f188a8aaeca6f2a0cf
DROPPER-UPX-PACKED      SHA256          f915bc0dc9536eaa4ffefe7781676cdfe656298f4f1f9b1e56aa84a88db4902d
DROPPER-UPX-PACKED      SHA256          409ccb43d482d86d75e50c89ac91dcd2845f75933df99db5efe7673367c91774
DROPPER-UPX-PACKED      SHA256          4479c7842388f93cf2cbc4ba76ed2452a6521bd00e3a9c36375f9bf3fc83e7b2
PAYLOAD-ASPACK-PACKED   SHA256          e80622ee3b96bf1017463e30e672a6bb268143e84b3d7acc834c6db91725e1da
PAYLOAD-ASPACK-PACKED   SHA256          ff3b6894dc1b44e616bc06faeec5d0d5ae75d6619c0b89b6192602cbb5c66ffb
PAYLOAD-ASPACK-PACKED   SHA256          042ce8c91c6bc7eeb32e0df4ca95f49d2ae3c372e2dbfd380a78da042d8dd057
DROP-POINT/C&C          DOMAIN          naveicoipa.tech
DROP-POINT/C&C          DOMAIN          naveicoipc.tech
DROP-POINT/C&C          DOMAIN          naveicoipg.online
DROP-POINT/C&C          DOMAIN          naveicoipe.tech
DROP-POINT/C&C          DOMAIN          naveicoipf.online
DROP-POINT/C&C          DOMAIN          naveicoiph.online
DROP-POINT/C&C          DOMAIN-REGEX    naveicoip[a-z]{1}[.](online|tech)

ATT&CK MATRIX

TACTIC                 TECHNIQUE    NAME
Initial Access         T1566.001    Phishing: Spearphishing Attachment
Initial Access         T1566.002    Phishing: Spearphishing Link
Execution              T1059.005    Command and Scripting Interpreter: Visual Basic
Execution              T1106        Native API
Execution              T1203        Exploitation for Client Execution
Persistence            T1547.001    Registry Run Keys / Startup Folder
Defense Evasion        T1036        Masquerading
Defense Evasion        T1562.001    Disable or Modify Tools
Defense Evasion        T1497        Virtualization/Sandbox Evasion
Defense Evasion        T1406        Obfuscated Files or Information
Defense Evasion        T1027.002    Software Packing
Defense Evasion        T1221        Template Injection
Defense Evasion        T1006        Direct Volume Access
Discovery              T1518.001    Security Software Discovery
Discovery              T1057        Process Discovery
Discovery              T1083        File and Directory Discovery
Discovery              T1082        System Information Discovery
Collection             T1560        Archive Collected Data
Command and Control    T1573        Encrypted Channel
Command and Control    T1105        Ingress Tool Transfer
Command and Control    T1071        Application Layer Protocol
Command and Control    T1568        Dynamic Resolution: Domain Generation Algorithms

HUNTING AND DETECTION

The following network rule can be used to assist threat hunting activities for the reported threat:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Operation Kitty Phishing Potential Command & Control DNS Resolution"; pcre:"/naveicoip[a-z]{1}.(tech|online)/"; sid:100001; rev:1;)
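One subtlety worth checking before relying on the rule above, which matches the DGA pattern from the Event Insights section against raw UDP payload: in DNS wire format the dot between labels does not exist; each label is prefixed by its length byte, so "naveicoipa.tech" travels as \x0anaveicoipa\x04tech. The rule's unescaped "." therefore works only because it matches the length byte; the "obvious" fix of escaping it as "\." would silently break the rule. The script below is an added example for this page (not Cluster25's code) that builds constructed DNS queries, decodes the QNAME the way a DNS-aware parser would, applies the report's pattern to the decoded name, and shows both raw-payload regex variants side by side. Where Suricata is available, the same decoded matching is what you get by writing the regex against the dns.query sticky buffer instead of the raw packet.

```python
import re
import struct

# Report pattern, applied to a decoded name: the registrable domain must be naveicoip + one
# letter + .online/.tech, optionally with subdomains in front (anchored at the end).
DGA_PATTERN = re.compile(r"(^|\.)naveicoip[a-z]\.(online|tech)$")

# Two raw-payload variants: literal dot (fails on wire format) and any-byte (matches the length byte).
RAW_LITERAL_DOT = re.compile(rb"naveicoip[a-z]\.(tech|online)")
RAW_ANY_BYTE = re.compile(rb"naveicoip[a-z].(tech|online)")


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS A query: 12-byte header, length-prefixed labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def decode_qname(payload: bytes, offset: int = 12) -> str:
    """Decode the first question's QNAME; questions never use compression pointers."""
    labels = []
    pos = offset
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def is_dga_domain(name: str) -> bool:
    return DGA_PATTERN.search(name.lower()) is not None


def hunt(packets) -> list:
    """Return the decoded names of all queries that match the report's DGA pattern."""
    return [n for n in (decode_qname(p) for p in packets) if is_dga_domain(n)]


def raw_match(packet: bytes, pattern) -> bool:
    return pattern.search(packet) is not None


# Constructed traffic: two names from the report's pattern, a subdomain of one, and decoys.
SAMPLE_PACKETS = [build_query(n) for n in (
    "naveicoipa.tech",                  # matches
    "naveicoiph.online",                # matches
    "naveicoip.tech",                   # no single letter: no match
    "naveicoipxy.tech",                 # two letters: no match
    "www.example.invalid",              # benign
    "naveicoipa.tech.example.invalid",  # pattern not at the end: no match
    "cdn.naveicoipa.tech",              # subdomain of a matching domain: matches
)]

if __name__ == "__main__":
    print("hits:", hunt(SAMPLE_PACKETS))
    p = SAMPLE_PACKETS[0]
    print("raw literal-dot regex:", raw_match(p, RAW_LITERAL_DOT))
    print("raw any-byte regex:   ", raw_match(p, RAW_ANY_BYTE))
```

The any-byte variant also matches unrelated byte sequences that happen to contain the letters around any single byte, so the decoded-name match (or the dns.query buffer in Suricata) is the more precise place to put this pattern; keeping the raw rule as a fallback for sensors without DNS parsing is reasonable, as long as nobody "fixes" the dot.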

REFERENCES

[1] https://redalert.nshc.net/2019/01/30/operation-kitty-phishing/

Written by: Cluster25
